Is your PKI bulletproof? How can you be sure? There is a lot more to PKI than most people realize, and even security-conscious companies usually find they cannot tick every box on the list below.
Here are some questions to ask within your organization to see how bulletproof your PKI really is. If you cannot check all 6 areas, your Machine Identity Management has quality gaps.
1. Consumer Education
Questions to ask:
- Do end users understand certificate warnings, or are connections to untrusted machine identities blocked outright so they never have to decide?
- Do your administrators understand the basic parts of certificates and keys?
- Is solid documentation and other training material available to users?
What to watch for:
End users who do not understand a certificate warning may click past it because they want to get their work done, only to find they have been phished. Phishing remains one of the most common entry points into any organization. No matter how much security software you deploy, once a user is phished, the attacker may have every bit of access that user has.
Administrators who lack that understanding can cause damage too. Passing private keys around by email, or handing them to a third-party organization, undermines the entire security of the PKI: a private key is only as trustworthy as the list of people and systems that have held it. Other hazardous shortcuts are wildcard certificates, which put one private key in front of every host under a domain, and self-signed certificates, which sit outside your CA and its revocation and inventory. Both create a mess that will complicate the lifecycle of your PKI soon enough.
2. Enforceable Policy
Questions to ask:
- Are users blocked from requesting certificates they should not have?
- Do certificate requests need sign-off from someone other than the requester?
- Do you restrict which Certificate Authorities (CAs) may be used?
- Are key strength and validity period set by policy and locked, rather than left to each requester?
What to watch for:
Enforcing policy protects users from costly mistakes and makes difficult audit questions easy to answer. It also streamlines the work: policy can pre-populate the critical fields of the Certificate Signing Request (CSR), so nobody has to guess what is and is not allowed in your organization.
3. Notification and Escalation
Questions to ask:
- Are you alerted when a private key is downloaded that perhaps should not have been?
- Is a certificate or key close to expiring while the application owner has not acted?
- Did a leaf certificate change unexpectedly?
- Is a root certificate expiring soon?
What to watch for:
Notifications about what is happening to your organization’s certificates spare you the stress of simply hoping everything is fine. With notifications set up properly, you can be told as often as you like, and in as much detail as you like, about the health of your PKI inventory. Your Machine Identity Management should raise the things you need to know automatically, without a long investigative search on your part.
4. Automation or DevOps Integration
Questions to ask:
- Are your machine identities rotated automatically?
- Can a renewal run end to end (new key, CSR, issuance, installation and service reload) without a person in the loop?
- Do you have a built-in solution that covers the full certificate lifecycle?
What to watch for:
Automation is a big word that hides a lot of complexity. It makes you faster, and it lets you keep up as the business grows. Built-in drivers for full automation, or the ability to integrate your own systems yourself, let you scale at speed while staying secure.
5. Audit Capabilities
Questions to ask:
- Can you tell your auditors who has access to your private keys?
- Are you made aware if a machine identity changes on any endpoint?
- Can you prove you are complying with mandates today?
What to watch for:
Imagine your auditor asking you to show the key strengths or signature algorithms in use across your organization. Imagine them asking who has access to that wildcard certificate that has been passed around by email or network share, let alone every location where it is installed.
Notifications, logging, permissions and enforced policy let you show where you stand on compliance at a moment’s notice. Working with your auditors to demonstrate a bulletproof PKI should be simple, and it can be. Run the reports, and with numbers or graphs you can quickly show that you run a world-class PKI shop.
6. CA Agility
Questions to ask:
- Do you actively choose whom you trust and whom you want to do business with?
- Can you recover quickly from a CA or root certificate vulnerability?
- How quickly can you adapt when your root of trust changes, or when CA capabilities evolve?
What to watch for:
There are many Certificate Authorities (CAs), and the market does not stand still: CAs merge, vulnerabilities are discovered in them, and their capabilities change. You should be able to re-issue the bulk of your certificates and keys under a new CA without it becoming a multi-year project. Your Machine Identity Management strategy, manual or automated, should let you adjust quickly. When a machine needs a new identity from a new root, you should be able to give it one immediately.
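The policy, notification, audit and CA-agility questions in sections 2, 3, 5 and 6 all come down to the same inventory checks: key strength, validity period, time to expiry, issuer allowlist, self-signed certificates and wildcard names. The Go program below is an added illustration of those checks, not code from the original post or from any Venafi product. It generates a small constructed inventory with the standard library's crypto/x509 (a private root, a compliant leaf, an RSA-1024 three-year wildcard, a leaf ten days from expiry, and a self-signed leaf) and audits each certificate against a hypothetical policy. The thresholds in DefaultPolicy, the example.internal names and the Example Internal Root CA issuer are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Policy holds the thresholds an enforced certificate policy locks down.
// DefaultPolicy's values are illustrative assumptions for this example, not a recommendation.
type Policy struct {
	MinRSABits    int
	MaxValidity   time.Duration   // leaf certificates only
	ExpiryWarning time.Duration   // alert below this remaining lifetime, roots included
	AllowedCAs    map[string]bool // issuer common names the organisation has chosen to trust
}

var DefaultPolicy = Policy{
	MinRSABits:    2048,
	MaxValidity:   398 * 24 * time.Hour,
	ExpiryWarning: 30 * 24 * time.Hour,
	AllowedCAs:    map[string]bool{"Example Internal Root CA": true},
}

// Audit returns the policy findings for one parsed certificate as of now.
func Audit(c *x509.Certificate, p Policy, now time.Time) []string {
	var f []string
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < p.MinRSABits {
		f = append(f, fmt.Sprintf("weak key: RSA %d bits", k.N.BitLen()))
	}
	if !c.IsCA && c.NotAfter.Sub(c.NotBefore) > p.MaxValidity {
		f = append(f, "validity period exceeds policy")
	}
	if left := c.NotAfter.Sub(now); left < p.ExpiryWarning {
		f = append(f, fmt.Sprintf("expires in %d days", int(left.Hours()/24)))
	}
	// Self-signed: issuer equals subject and the signature verifies under the certificate's own key.
	selfSigned := string(c.RawIssuer) == string(c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
	if selfSigned && !c.IsCA {
		f = append(f, "self-signed leaf certificate") // bypassed the CA, so it cannot be revoked centrally
	} else if !selfSigned && !p.AllowedCAs[c.Issuer.CommonName] {
		f = append(f, "issuer not in allowed CA list: "+c.Issuer.CommonName)
	}
	for _, name := range c.DNSNames {
		if strings.HasPrefix(name, "*.") {
			f = append(f, "wildcard SAN: "+name) // one private key now covers every host under the domain
		}
	}
	return f
}

// template builds a minimal certificate template; CA templates also get the cert-signing key usage.
func template(serial int64, cn string, notBefore time.Time, validity time.Duration, isCA bool, sans ...string) *x509.Certificate {
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore,
		NotAfter: notBefore.Add(validity), DNSNames: sans, IsCA: isCA, BasicConstraintsValid: true, KeyUsage: usage}
}

// mustIssue signs tmpl with priv (parent nil means self-signed) and returns the parsed certificate.
func mustIssue(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err) // acceptable for a demo; production tooling would return the error
	}
	c, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return c
}

// buildInventory generates a deliberately mixed set of certificates (constructed here, not taken from any real PKI).
func buildInventory(now time.Time) []*x509.Certificate {
	day := 24 * time.Hour
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	weakKey, _ := rsa.GenerateKey(rand.Reader, 1024) // 1024 bits, below DefaultPolicy.MinRSABits
	ca := mustIssue(template(1, "Example Internal Root CA", now.Add(-365*day), 10*365*day, true), nil, &caKey.PublicKey, caKey)
	return []*x509.Certificate{
		ca,
		mustIssue(template(2, "api.example.internal", now.Add(-10*day), 90*day, false, "api.example.internal"), ca, &leafKey.PublicKey, caKey),       // compliant
		mustIssue(template(3, "*.example.internal", now.Add(-30*day), 3*365*day, false, "*.example.internal"), ca, &weakKey.PublicKey, caKey),        // weak key, too long, wildcard
		mustIssue(template(4, "legacy.example.internal", now.Add(-80*day), 90*day, false, "legacy.example.internal"), ca, &leafKey.PublicKey, caKey), // expires in 10 days
		mustIssue(template(5, "dev-box.example.internal", now.Add(-day), 90*day, false, "dev-box.example.internal"), nil, &leafKey.PublicKey, leafKey), // self-signed leaf
	}
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC) // fixed clock keeps the report reproducible
	for _, c := range buildInventory(now) {
		fmt.Printf("%-26s %v\n", c.Subject.CommonName, Audit(c, DefaultPolicy, now))
	}
}
```

Running it prints one line per subject with its findings; an empty list means the certificate passes. The root itself is exempt from the leaf validity limit but not from the expiry warning, which is the "root certificate expiring soon" case from section 3. In a real deployment the inventory would come from discovery (TLS scans, agents, CA exports) rather than being generated in-process, and each non-empty finding list would feed the notification channel rather than standard output.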
What comes next
When you have effectively addressed these 6 categories, your PKI becomes bulletproof. Your Machine Identity Management becomes robust enough to support your organization’s growth at speed, instead of being a bottleneck of confusion and contention. No platform is trusted more, is more proven, or has as many enterprises relying on its expertise as the Venafi Trust Protection Platform. Let’s face it: it is simply the best way to cover your unique use cases and bulletproof your PKI.